---
title: "Project Level Roles for AWS"
---

Multi-account setups are pretty common. In many cases you want to use a different account for
different sets of projects. If you wish to achieve this outside of digger and only use profile names and set
them directly in terraform you can use this as an [example repository](https://github.com/diggerhq/demo-assume-role-multi-account-aws)

You can also use digger.yml to specify which roles should be used for which repository. In this case you specify a main
role in the workflow file using `aws-role-to-assume` (or using keys) and inside the repo if you wish to assume
a different role for a specific project you specify an `aws_role_to_assume` under that project. 
If you only specify one role (either `state` or `command`) it is assumed that both options are the same role.

Example digger.yml:

```
projects:
   - name: dev
      dir: ./dev
      aws_role_to_assume:
         state: "arn:/blabla/accid/backenddev"
         command: "arn:/blabla/accid/devaccount"
         aws_role_region: us-east-1
   - name: prod
      dir: ./prod
      aws_role_to_assume:
         state: "arn:/blabla/accid/backendprod"
         command: "arn:/blabla/accid/prodaccount"
         aws_role_region: us-east-1
```

You can also use project-level assume role with [generated projects](/ce/howto/generate-projects):

```
generate_projects:
  blocks:
    - include: "environments/core/**"
      aws_role_to_assume:
        aws_role_region: "us-east-2" 
        state: "arn:/blabla/accid/backenddev"
        command: "arn:/blabla/accid/devaccount"
```

# Assume role with cognito identity

The github action JWT token includes alot of useful fields such as `ref`, `sha`, `runner_environment` etc. however it is
challenging to write an AWS trust policy to match for these fields since only `aud` and `sub` fields are supported. Using cognito
identity it is possible to remap the fields into principal tags which allows them to be matched in the trust policy. More information
about this is in this article: https://catnekaise.github.io/github-actions-abac-aws/cognito-identity/.

If you wish to perform this mapping in digger you can specify an additional aws_cognito_oidc configuration as follows:

```
  - name: "my-secure-digger-project"
    dir: "prod"
    workflow: default
    workflow_file: digger_workflow.yml
    aws_role_to_assume:
      aws_role_region: "us-west-2"
      command: "arn:aws:iam::00000000000:role/github-action-deployment-role"
    aws_cognito_oidc:
      cognito_identity_pool_id: "us-east-1:00000000-0000-0000-0000-000000000000"
      aws_region: "us-east-1"
      aws_account_id: "000000000000"
```

Once this is specified you will be able to match values in additional configuration as highlighted in the url above.